I just came across a study done by AOL and the NCSA (National Cyber Security Alliance) on security of the home PC. Unfortunately, the results seem to follow an all too familiar pattern.

I’ve been helping people clean up their computers for quite some time now. Personally, I’ve been pretty lucky on the whole and only had a few run-ins with viruses and probably only two of them have caused me much heartburn. However, I’ve seen some really messed up computers and I’ll have to say the results of that little study don’t surprise me at all. It’s interesting that the article touches on who is responsible for internet security: software companies or consumers. I believe the responsibility falls on both parties, but there are some big mistakes being made in the industry that aren’t helping consumers hold up their end.

1. Most packaged computers come with a free trial of one antivirus software or another. Trials of 30, 60, or 90 days are about the worst idea ever. Don’t get me wrong, I understand the thinking: get a user hooked on your software with a trial so that they’ll be willing to pay for it when it expires. There’s just one problem. The software doesn’t expire in that it stops working, it simply stops updating virus definition files. Therefore when someone tells me they’re having problems with their computer and I ask if they have antivirus software installed, they happily respond “Yes!” when in fact, their software is outdated by a good 6 months or more. By allowing these trials on new machines, consumers are lured into a false sense of security. Meanwhile, their trial quietly expires and the latest virus finds its way onto their computer with ease. “But how did this happen? I just ran the virus scan yesterday and it didn’t find anything?!”
2. Unfortunately not all software is helpful. Worse yet, most people can’t tell the difference between the good and the bad. Some definitions easily found via Google…

   malware

   a) A generic term increasingly being used to describe any form of malicious software; eg, viruses, trojan horses, malicious active content, etc.

   b) Malicious software that is designed by people to attack some part of a computer system.

   spyware

   a) A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use spyware to gather data about customers. The practice is generally frowned upon.

   b) A technology that assists in gathering information about a person or organization without their knowledge. On the Internet, “spyware is programming that is put in someone’s computer to secretly gather information about the user and relay it to advertisers or other interested parties.” As such, spyware is cause for public concern about privacy on the Internet.

   adware

   a) While not necessarily malware, adware is considered to go beyond the reasonable advertising that one might expect from freeware or shareware. Typically a separate program that is installed at the same time as a shareware or similar program, adware will usually continue to generate advertising even when the user is not running the originally desired program. See also cookies, spyware, and web bugs.

   b) software that may have been installed on your computer by a remote site. Many free utilities that you download from the Internet will install hidden software that sends details of the websites you visit and other information from your computer (which can include your email address) to advertisers so they can target you with popup ads and spam. See Spam, Spyware.

   Most people have experienced that moment when they find something on their computer that they don’t remember installing. Most simply brush it off, but those that don’t will usually find things that fall into one of those three categories: malware, spyware, or adware (I’ll refer to everything as spyware to keep it simple). One could argue that they are all related and therefore part of the same issue. Security. Privacy. Call it what you like, it’s a problem that is getting ridiculous. I’ve worked on computers with literally hundreds of items considered to be bits and pieces of spyware. The problem isn’t necessarily apathy (although it definitely can be), but more often it’s a lack of education. Users see a box pop up asking them a question and click without thinking. They download a program with some extra stuff along for the ride, and just like that they are infected.

   So what’s being done to combat spyware? Well, there are companies out there like Lavasoft USA and Safer Networking Limited, creators of Ad-Aware and Spybot – Search and Destroy. Both will scan your computer for items considered to be spyware and remove them for you. I recommend both programs and use them every week or two. Finally, some companies are beginning to take a stand on the issue and Congress has gotten in on the act as well, passing anti-spyware legislation. Still, I won’t hold my breath for big changes. Some people must make a lot of money from software like this or there would be no reason to keep making it.

3. Wireless networking is becoming increasingly popular. It’s everywhere from PDAs and cell phones to laptops and even desktops. And while it makes some people’s lives a lot simpler by freeing them from the bounds of wires, there are big security risks that most people don’t even consider. As of now, there is still no wireless security standard comparable to that of wired networks. The most common form of wireless security simply requires a pre-shared encryption key that once learned will give a person full access to a wireless network. Give me a day or two with the right tools and I could probably learn the encryption key of any wireless network without ever needing to ask for it.

   To make matters worse, most wireless networking components have security turned off be default. And while it may be much simpler to set up your wireless network without worrying about encryption keys, you’re leaving yourself extremely vulnerable. Since I got my laptop with it’s built-in wireless card, I’ve had occasion to visit friends off campus and notice the sheer number of wireless access points available. I’d say 80-90% are unsecured. Not only could people potentially steal internet access, but in the process they’re connected directly to your network with little to no effort.

It’s probably foolish to think there is such a thing as a perfectly secure system. But there are plenty of things you can do to get closer to the ideal. Install a popup blocker (better yet, run a web browser that does it for you like FireFox). Download and use Ad-Aware and Spybot (don’t forget to keep them updated). Turn Windows Firewall on. Oh, and download Windows Updates (something I haven’t even touched here). Slowly but surely, the industry is providing the tools for consumers to protect themselves, but knowing where to look is half the battle. I’ve made it my personal goal to start educating users on these issues by teaching them to respect their systems and explaining why they’re having problems rather than just fixing things for them.